Introduction: Explain overall goal and purpose. Given a message (and potentially a key), compute some small value that we can recompute later to ensure the message has not been modified.
Part 1: Tales of Fails Thinking that encrypting data makes it hard to modify Example: Storing state information in a cookie and encrypting it vs. RC4 malleability Example: Download and execute an encrypted Python script vs. CBC block deletion, duplication, or exchange
Using primitives that are not intended to be cryptographically secure Example: SSH protocol version 1.5 and CRC as an integrity check Example: WEP and CRC as an integrity check
Rolling your own MAC given a hashing algorithm Example: Flickr length-extension attack H(key||message)
MAC-then-encrypt vs. Encrypt-then-MAC Example: POODLE (in addition to padding bug)
Using a raw hashing algorithm to verify passwords Example: 2012 LinkedIn unsalted password hash breach
Part 2: Tools One-way functions Understanding their strengths Preimage resistance: Given h, find any m such that H(m) = h Second preimage resistance: Given m, find any m' such that H(m') = H(m) Collision resistance: Find any m1 != m2 such that H(m1) = H(m2) Hashes are not the only way to build a one-way function, but they are designed to be fast. Observe that hashing algorithms seem to have a shorter lifespan than other cryptographic primitives (e.g. MD5 collision resistance is broken, SHA1 is weak and likely to be broken soon). Design protocols/systems accordingly.
Message authentication codes Like a one way function, but with a symmetric key A and B exchange messages and want to detect modifications from third party C Hashes are not the only way to build a MAC, but are fast and common HMAC(k, m) = H[ (k ^ opad) || H((k ^ ipad) || m) ] opad, ipad are constants There are theoretical reasons for this construction. Not necessarily broken even if a collision is found in the hashing algorithm. Don't try to build your own MAC.
Authenticated encryption Combine encryption and message authentication into a single mode. Example: AES in GCM mode.
Digital signatures Asymmetric message authentication. A sends messages to B, and wants B to detect modifications from third parties, and wants third parties to detect any modifications by B Most rely on a one-way function internally. RSA, ECDSA
Part 3: If you learn nothing else from this talk... If you need encryption in transit Use TLS or SSH with AES in GCM mode to provide confidentiality and integrity If you insist on implementing your own encryption Use AES in GCM mode For passwords Use a KDF designed for the task (PBKDF2, Bcrypt, scrypt, etc.) Enforce a minimum length Use password breach lists to blacklist known passwords
Jacob Thompson is a Senior Security Analyst for Independent Security Evaluators, where he specializes in high-end, custom security assessments of computer hardware and software products. With 10+ years' experience, a propensity toward hands-on security assessment, and proficiencies in reverse engineering, DRM systems, cryptography, system and application security, and secure system design. Through his 3 years' work with ISE, Mr. Thompson has partaken in multiple major vulnerabilities and assessments, customer visits, and progress presentations. He has presented his research at DEFCON 21, BSides DC 2013 & 2014, DERBYCON 4.0, and ToorCon 2014.